PYSEC-2026-2056

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/xhtml2pdf/PYSEC-2026-2056.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2056
Aliases
Published
2026-07-07T14:34:42.774289Z
Modified
2026-07-07T17:48:17.621101873Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
xhtml2pdf Denial of Service via crafted string
Details

An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.

References

Affected packages

PyPI / xhtml2pdf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.2.16

Affected versions

0.*
0.0.0
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.1a1
0.1a2
0.1a3
0.1a4
0.1b1
0.1b2
0.1b3
0.2b1
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/xhtml2pdf/PYSEC-2026-2056.yaml"